CVE-2024-21538

CVSS V2 None CVSS V3 None

Description

Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.

Overview

CVE ID
CVE-2024-21538

Assigner
snyk

Vulnerability Status
PUBLISHED

Published Version
2024-11-08T05:00:04.695Z

Last Modified Date
2024-11-08T05:00:04.695Z

Weakness Enumerations

CWE	URL
CWE-1333	http://cwe.mitre.org/data/definitions/1333.html

References

Reference URL	Reference Tags
https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230
https://github.com/moxystudio/node-cross-spawn/pull/160
https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f
https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-21538
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21538

History

Created	Old Value	New Value	Data Type	Notes
2024-11-08 13:43:33				Added to TrackCVE